diff options
author | Casey Deccio <casey@deccio.net> | 2021-01-08 00:46:53 +0300 |
---|---|---|
committer | Casey Deccio <casey@deccio.net> | 2021-01-09 03:07:33 +0300 |
commit | 8f4080c53cf7fe10b0a8eac59e94a796ab3d99fb (patch) | |
tree | 003a578cba282ae62de92f3ec0b7850e18610a64 /doc | |
parent | 992baacead282d4f927cdc2ac56a2ba0005e8457 (diff) |
Allow prohibited algorithms to be considered with command-line option
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man/dnsviz-graph.1 | 8 | ||||
-rw-r--r-- | doc/man/dnsviz-grok.1 | 8 | ||||
-rw-r--r-- | doc/man/dnsviz-print.1 | 8 |
3 files changed, 24 insertions, 0 deletions
diff --git a/doc/man/dnsviz-graph.1 b/doc/man/dnsviz-graph.1 index 2e49755..6971750 100644 --- a/doc/man/dnsviz-graph.1 +++ b/doc/man/dnsviz-graph.1 @@ -93,6 +93,14 @@ unknown. Additionally, when a zone has only DS records with unsupported digest algorithms, the zone is treated as "insecure", assuming the DS records are properly authenticated. .TP +.B -b, --validate-prohibited-algs +Validate algorithms for which validation is otherwise prohibited. Current +DNSSEC specification prohibits validators from validating older, weaker +algorithms associated with DNSKEY and DS records (see RFC 8624). If this +option is used, then a warning will be still be issued for DNSSEC records that +use these older algorithms, but the code will still assess their cryptographic +status, rather than ignoring them. +.TP .B -C, --enforce-cookies Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response when a query contains a COOKIE option with no server cookie or with an invalid diff --git a/doc/man/dnsviz-grok.1 b/doc/man/dnsviz-grok.1 index c6773f7..c9a441d 100644 --- a/doc/man/dnsviz-grok.1 +++ b/doc/man/dnsviz-grok.1 @@ -89,6 +89,14 @@ unknown. Additionally, when a zone has only DS records with unsupported digest algorithms, the zone is treated as "insecure", assuming the DS records are properly authenticated. .TP +.B -b, --validate-prohibited-algs +Validate algorithms for which validation is otherwise prohibited. Current +DNSSEC specification prohibits validators from validating older, weaker +algorithms associated with DNSKEY and DS records (see RFC 8624). If this +option is used, then a warning will be still be issued for DNSSEC records that +use these older algorithms, but the code will still assess their cryptographic +status, rather than ignoring them. +.TP .B -C, --enforce-cookies Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response when a query contains a COOKIE option with no server cookie or with an invalid diff --git a/doc/man/dnsviz-print.1 b/doc/man/dnsviz-print.1 index 0499e1d..6091405 100644 --- a/doc/man/dnsviz-print.1 +++ b/doc/man/dnsviz-print.1 @@ -93,6 +93,14 @@ unknown. Additionally, when a zone has only DS records with unsupported digest algorithms, the zone is treated as "insecure", assuming the DS records are properly authenticated. .TP +.B -b, --validate-prohibited-algs +Validate algorithms for which validation is otherwise prohibited. Current +DNSSEC specification prohibits validators from validating older, weaker +algorithms associated with DNSKEY and DS records (see RFC 8624). If this +option is used, then a warning will be still be issued for DNSSEC records that +use these older algorithms, but the code will still assess their cryptographic +status, rather than ignoring them. +.TP .B -C, --enforce-cookies Enforce DNS cookies strictly. Require a server to return a "BADCOOKIE" response when a query contains a COOKIE option with no server cookie or with an invalid |